CVE-2020-7390

Sage X3 Syracuse Persistent XSS in Edit User page

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile. An authenticated user can pass XSS strings the "First Name," "Last Name," and "Email Address" fields of this web application component. Updates are available for on-premises versions of Version 12 (components shipped with Syracuse 12.10.0 and later) of Sage X3. Other on-premises versions of Sage X3 are unaffected or unsupported by the vendor.

Una Vulnerabilidad de tipo XSS almacenado en Sage X3 en la página "Editar" del perfil de usuario. Un usuario autenticado puede pasar cadenas de tipo XSS los campos "First Name", "Last Name" y "Email Address" de este componente de la aplicación web. Unas actualizaciones están disponibles para las versiones locales de la versión 12 (componentes enviados con Syracuse versiones 12.10.0 y posteriores) de Sage X3. Otras versiones locales de Sage X3 no están afectadas o no son compatibles por parte del proveedor

*Credits: Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarrea, and William Vu, all of Rapid7, and Vivek Srivastav of Cobalt Labs

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-21 CVE Reserved
2021-07-22 CVE Published
2023-03-08 EPSS Updated
2023-11-07 First Exploit
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed	Broken Link

URL	Date	SRC
https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities	2023-11-07

URL	Date	SRC
https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sage Search vendor "Sage"	Syracuse Search vendor "Sage" for product "Syracuse"	>= 12.0 < 12.10.0 Search vendor "Sage" for product "Syracuse" and version " >= 12.0 < 12.10.0"	-	Affected	in	Sage Search vendor "Sage"	X3 Search vendor "Sage" for product "X3"	12.0 Search vendor "Sage" for product "X3" and version "12.0"	-	Safe